I thought it would be a good idea to have a thread where we post our /usr/local/sbin stuff: post-boot, post-mount, post-firewall, and pre-shutdown. Learning by example is a really good thing.
For those who don't know yet, these files under the Oleg firmware are the router's startup/shutdown system. Use them to make the router do special things when it starts and when it stops.
-----------------------------------
Remember! These files need to be executable (chmod +x filename) and start with #!/bin/sh on the 1st line in order to work. After you modify them, use this command to save them to flash, otherwise all modifications will be lost upon reboot:
flashfs save && flashfs commit
-----------------------------------
OK so here goes. I'm using a HDD connected via USB and that's all as far as USB stuff is concerned. Here's my post-boot:
Code:
#!/bin/sh
# very important! this gives you SSH access to the
# router! you most likely don't want to leave it out!
dropbear -p 24 -j -k
# Make sure the kernel modules needed for the
# USB harddrive to work are loaded
[ ! -d /dev/discs ] && \
insmod scsi_mod && \
insmod sd_mod && \
insmod usb-storage && \
sleep 5
# Wait for /opt to mount. For 30 seconds I will try
# each second to mount the hdd partition that
# holds the main system. Be warned that mine is
# on the 2nd partition, yours is probably on 1st!
# Once it's mounted it will stop trying (common sense).
i=0
while [ $i -le 30 ]; do
    mount /dev/discs/disc0/part2 /opt -t ext3
    [ -d /opt/etc ] && break
    sleep 1
    i=$(expr $i + 1)
done
# Unload kernel modules I'm not using:
rmmod printer
# If we couldn't mount the HDD just bail out on the
# rest of post-boot. All the stuff from this point on
# depends on it being mounted. If you have stuff
# that will work regardless, put it before this section.
# (exit rather than return: the hook is executed as its
# own process, so exit ends it cleanly in any shell)
[ $i -gt 30 ] && exit 0
# Activate swap. Again, be careful. My swap is on
# the 1st partition, yours is probably on 2nd.
swapon /dev/discs/disc0/part1
# Umount redundant mountpoint
umount /tmp/harddisk
# If you want syslog to log to a file on the HDD
# instead of /tmp/syslog.log (which is in RAM),
# here's how you do it:
#killall syslogd && \
#/sbin/syslogd -m 0 -O /opt/var/log/messages -S -l 7
# Start an ftp server. If vsftpd is available use that,
# otherwise use stupid-ftpd (which is called that for a reason).
# (note: if vsftpd exists but fails to start, stupid-ftpd runs)
[ -x /opt/sbin/vsftpd ] && \
/opt/sbin/vsftpd /opt/etc/vsftpd.conf || \
/usr/sbin/stupid-ftpd -f /opt/etc/stupid-ftpd.conf -p /tmp/var/run/stupid-ftpd.pid
# Start transmission. I use rtorrent nowadays so
# for me it's disabled.
#/opt/sbin/transmission_watchdog
# Run all active services - active means starts with S
/opt/etc/init.d/rc.unslung
# Anonymization proxy: Tor and Privoxy
/opt/sbin/privoxy --pidfile /opt/var/run/privoxy.pid /opt/etc/privoxy/config
/opt/bin/tor &
# Start DynDNS automatic updater:
/opt/sbin/ddclient &
# Start rtorrent:
(cd /opt/files/rtorrent && \
/opt/bin/screen -d -m -fn \
/opt/bin/rtorrent -o \
import=/usr/local/root/.rtorrent.rc) &

Now post-firewall. Careful with this one! Don't mess with the firewall if you don't know what you're doing!
Code:
#!/bin/sh
## FIREWALL SECTION
# set default policy (for extra paranoia)
iptables -P INPUT DROP
# Drop access to certain external ports. Again,
# paranoia. My FTP and Asus web interface don't
# even use these ports, but just in case I ever
# forget, I block them here.
# (-I inserts the rule; -D would delete one. Without
# -i these match LAN traffic too, so only use them if,
# like here, nothing of yours listens on 21 or 80.)
iptables -I INPUT 1 -p tcp --dport 21 -j DROP
iptables -I INPUT 1 -p tcp --dport 80 -d "$4" -j DROP
# Allow access to various router services from WAN.
# Below you can see me activating the rtorrent
# external port range, a webserver and 27 is SSH
# (the SSH port here has to be the one dropbear
# actually listens on, see -p in post-boot):
for P in 10000:11000 8000 27; do
    iptables -I INPUT 1 -p tcp -i "$1" --syn --dport $P -j ACCEPT
done
# Manual port forwarding. Normally it's done from
# the router's web config interface. But if you ever
# don't want to do it there for some reason, or need
# to do it from the command line without rebooting
# the router, here's how. Basically you add a rule
# to the VSERVER chain in the nat table. Note the
# protocol (-p udp), the interface (-i vlan1), the
# destination port (--dport and again at the end of
# --to) and the LAN IP that should receive it:
iptables -t nat -A VSERVER -p udp -i vlan1 --dport 5904 -j DNAT --to 192.168.123.1:5904
## WONDERSHAPER SECTION
# The wshaper script is an easy to use wrapper
# over the tc tool. It will cap your upper download
# and upload speed in order to take full advantage
# of it and prioritize certain types of LAN traffic
# over others (including traffic done by the router
# itself). For example, no matter how hard transmission
# will download or upload, you'll be able to browse
# the web properly from your LAN computer.
# the download and upload cap:
SPEEDS="10240 1024"
# LAN ports to prioritize:
PORTS="20 21 22 25 110 143 80 443 587 995 5050 1863 5222 6667"
# I try my modified wshaper (see my post in its
# thread!) which accepts ports too. The original
# wshaper only accepted IP's for prioritizing. Except
# I don't want bittorrent to eat bandwidth even
# when I run it from my LAN station, so I prefer ports.
# If my wshaper is not installed I use the original.
[ -x /opt/app/local/bin/wshaper ] && \
/opt/app/local/bin/wshaper start $1 $SPEEDS "" "" "" "" "$PORTS" || \
/sbin/wshaper start $1 $SPEEDS
# priority ports
#20/21:FTP, 22:SSH, 25:SMTP, 110:POP3, 143:IMAP, 80:HTTP, 443:HTTPS
#587+995:secure SMTP/POP3, 5050/1863/5222:YM/MSN/Jabber, 6667:IRC
# Log the parameters ($1 to $4) to a file.
# It's useful when I edit these files and forget
# which stands for what.
echo "$@" > /usr/local/root/param.log

Finally, pre-shutdown:
Code:
#!/bin/sh
# This one is simple. I send signal INT to rtorrent
# to tell it to do a graceful shutdown that will make
# it save its hashes and full status. (You need to
# enable sessions with session=dir in rtorrent.rc
# for this to work!):
# (only send the signal if rtorrent is actually running,
# otherwise kill complains about the empty pid list)
pid=$(/bin/pidof rtorrent)
[ -n "$pid" ] && /bin/kill -INT $pid
# Then I wait for 10 seconds to be sure it died
# gracefully. The rtorrent docs say it dies in 5,
# I just wanna make extra sure.
/bin/sleep 10